Today businesses generate, store, and share vast amounts of data across a multitude of platforms, cloud services, applications, and devices. Protecting this data, whether structured or unstructured, on-premises or in the cloud, and wherever it resides or moves, requires a well-defined and automated strategy.
The ability to accurately identify sensitive and business-critical data, detect security risks in an increasingly complex threat landscape, and dynamically prevent data loss can greatly enhance data security within organisations, while maximising efficiency and resource utilisation.
Microsoft Purview equips your IT team with powerful tools to safeguard sensitive corporate information, including generative AI content across both Microsoft and non-Microsoft platforms. To help you harness the full potential of Microsoft Purview, this blog explores the three key stages to achieving comprehensive data protection.
Microsoft Purview Data Protection
Step 1: Data Labelling
Unstructured data – such as files, documents, emails, messages – is a common part of most digital estates. To mitigate potential risks, it’s essential to first understand where sensitive data resides within your organisation, who has access to it, how it’s being used, how it’s shared and where it moves.
Microsoft Purview Information Protection makes it easier to manage sensitive data risks by providing a comprehensive overview of potential threats. It enables you to automatically discover, classify, and protect sensitive information across enterprise applications and services (including Microsoft 365 Copilot), devices, SaaS applications, and both cloud and on-premises environments. This holistic approach allows you to manage and mitigate risks more effectively.

The Microsoft Purview Information Protection SDK allows for seamless integration of Purview’s labelling and protection capabilities into third-party applications and services. This ensures consistent data protection and compliance across all platforms, extending beyond Microsoft’s ecosystem.
Step 2: Deployment of DLP Policies
Effectively safeguarding your most sensitive data requires identifying and preventing unauthorised or risky sharing, transferring, or usage across endpoints, applications, services, and on-premises files.
Microsoft Purview Data Loss Prevention (DLP) helps users make informed decisions when handling sensitive data, striking a balance between security and productivity. It protects sensitive information from exfiltration across applications, services, and devices, integrating seamlessly with your existing capabilities. Getting started is straightforward, with easy-to-configure DLP policies that can be deployed through an intuitive setup process.
The new capabilities Microsoft announced in 2024 within Purview Data Loss Prevention (DLP) will help security teams prevent sensitive data loss in the era of AI and include the introduction of DLP for Microsoft 365 Copilot. DLP for Microsoft 365 Copilot enables organisations to confidently adopt and use Copilot within the modern enterprise by implementing data protection measures. This capability helps ensure that sensitive document content is neither summarised by Microsoft 365 Copilot nor processed by Microsoft 365 Copilot for grounding data.
Alongside the recent introduction of DLP for Microsoft 365 Copilot, Microsoft have also added several enhancements to help DLP admins effectively investigate incidents, strengthen protections, and refine their DLP programs. These capabilities include:
Expanded File Type Coverage for Endpoint DLP – Endpoint DLP will support a wider range of file types, ensuring more consistent coverage and protection across workloads.
Power Automate Integration – Users will be able to configure custom Power Automate workflows (like alert triage and investigation) as an action for DLP policies.
Security Copilot-Powered DLP Policy Understanding – Security Copilot will provide admins with policy summarisation in natural language and policy gap analysis based on their organisation’s requirements.
Full File Evidence (Microsoft-Managed) – Users will have the ability to store and access full files on Windows as evidence for investigations using Microsoft-managed storage.
Blanket Protections for Non-Supported File Types – Users will be able to apply general protections to file types that are not currently scanned or monitored by endpoint DLP.
Step 3: Utilising Machine Learning to Identify Potential Insider Risk
The rapid growth of digital data, combined with the rise of remote and hybrid work, has amplified concerns about insider risks. According to Microsoft’s 2024 Data Security Index, 63% of data breaches stem from insider activity, underscoring the major challenge organisations face in defending against the damage caused by the misuse of authorised access, whether accidental or malicious.1
Microsoft Purview Insider Risk Management leverages machine learning to analyse a wide range of signals, quickly identifying and addressing potential insider risks.
Purview Insider Risk Management (IRM) includes usage indicators and policy templates to detect both intentional and unintentional insider risk activities associated with generative AI (GenAI) applications, helping to address potential risks to organisations.
Activities detected by Purview Insider Risk Management include risky prompts containing sensitive information or risky intent, as well as sensitive responses that contain sensitive information or information generated from sensitive files or sites. These detections also contribute to Adaptive Protection insider risk levels. To further support understanding of the potential risks that GenAI usage poses to an organisation’s data security, in 2024 Microsoft introduced new Communication Compliance GenAI metrics, including jailbreaks and hallucinations, as part of IRM indicators.
To enhance data security context for SOC teams’ investigations, Microsoft have integrated IRM alerts into the Microsoft Defender XDR incident page and made IRM analytics available in Advanced Hunting, enabling more in-depth and complex analysis. This integration with Defender XDR investigations provides IT teams with a more comprehensive view of the security landscape and improves the efficiency of investigations by helping uncover indicators of potential user compromise. This increased visibility helps reduce false positives and enhance incident containment with protective actions that are more closely aligned with the data’s business value.
This proactive approach significantly reduces the time sensitive data remains exposed, enhancing security and minimising vulnerabilities. Without such technology, it takes an average of 86 days to detect and contain an insider incident, leaving your organisation’s data at risk for an extended and potentially damaging period.2
How CWSI Can Help
Are you ready to transform your data security and governance? CWSI has the expertise to help organisations build a robust data security strategy that not only ensures regulatory compliance but also supports business growth.
Contact us today to discover how we can empower your organisation with tailored solutions, cutting-edge technologies, and expert guidance to protect your data and drive success in today’s fast-paced, digital-first world.